Bug 1850540

Summary: [RHEL8/Bug] SELinux violation iptables to plymouth
Product: Red Hat Enterprise Linux 8 Reporter: Oliver Falk <ofalk>
Component: selinux-policyAssignee: Zdenek Pytela <zpytela>
Status: CLOSED CURRENTRELEASE QA Contact: Milos Malik <mmalik>
Severity: low Docs Contact:
Priority: low    
Version: 8.2CC: lvrabec, mmalik, peter.vreman, plautrba, ssekidde, zpytela
Target Milestone: rcKeywords: Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Fixed In Version: Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-01-12 15:46:13 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 1122832    

Description Oliver Falk 2020-06-24 13:18:55 UTC
Description of problem:
We see a SELinux issue in customer environment during boot, with iptables-services enabled:

    # audit2allow -a

    #============= iptables_t ==============
    allow iptables_t plymouthd_t:unix_stream_socket connectto;

Version-Release number of selected component (if applicable): -

How reproducible: Unknown

Steps to Reproduce:
According to the customer report, this is happening on all their RHEL 8.2 with iptables-services installed, but so far, I wasn't able to reproduce it on one of my RHEL 8 boxes.

Actual results: SELinux hit

Expected results: No deny seen.

Additional info:
Customer case linked.

Comment 1 Zdenek Pytela 2020-06-24 13:38:32 UTC

We need more information to be able to assess this issue. Please gather audited AVC denials:

  # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts boot

The reproducing steps would also be helpful when available, or a list of related changes made to the default state of the system.

Comment 2 Oliver Falk 2020-06-24 14:11:31 UTC
Hey Zdenek!

I tried to find a reproducer but failed until now.
I'll ask the CU to provide me with the data from your mentioned ausearch!

I'm going to get back to you, once I have the information!


Comment 5 Oliver Falk 2020-06-25 11:41:50 UTC
Thanks Peter for directly providing the additional information here on this BZ - I've put them now "private", since this BZ is open.

@Zdenek, can you work with this additional information?


Comment 6 Zdenek Pytela 2020-06-25 13:51:15 UTC
Hi all,

Thank for sharing the details. It needs to be figured out why plymouth runs in iptables_t domain.

  # sesearch -A -s iptables_t -t plymouthd_t -c unix_stream_socket -p connectto
  # sesearch -A -s plymouth_t -t plymouthd_t -c unix_stream_socket -p connectto
allow plymouth_t plymouthd_t:unix_stream_socket connectto;

I was unable to reproduce it with just installing and enabling iptables-service, so wonder what else is required to trigger these denials.

Comment 18 Zdenek Pytela 2021-01-12 15:46:13 UTC
Closing per feedback the issue is no longer valid.